Data Protection Policies, Procedures and Privacy Notices

Report reference number:: 028-24
Classification:: Not protectively marked
Title of report:: Data Protection Policies, Procedures and Privacy Notices
Area of county / stakeholders affected:: Countywide
Report by:: Darren Horsman
Date of report:: 13/02/2024
Enquiries to:: [email protected]

1. Executive Summary

This report covers a number of updates to data protection policies, schedules and privacy notices following a GDPR Internal Audit undertaken in 2023.

2. Recommendations

That the Commissioner agrees the documents listed below which have been updated following the 2023 GDPR Internal Audit and that provide greater detail and clarity around how data will be handled and retained by the Commissioner’s office.
o Record Retention Policy
o Record Retention Schedule
o Data Protection Policy
o Privacy Notices x 3

3. Background to the Proposal

The Data Protection Act 2018 regulates the processing of information relating to individuals. This includes the obtaining, holding, using or disclosing of such information and covers computerised records as well as manual filing systems and card indexes. The General Data Protection Regulation (GDPR) was applied from 25 May 2018 (replaced by UK GDPR in January 2021). The UK GDPR places greater emphasis on the documentation that data controllers must keep in order to demonstrate their accountability. This Regulation is inherent in the requirements of the Data Protection Act 2018.
The PFCC for Essex is a registered Data Controller (registration no. Z3451171). The PFCC, in providing a service as a public authority, collects, stores and processes personal information. The PFCC must comply with the provisions of the Data Protection Act, UK GDPR and other relevant legislation when processing personal information.
Significant work was undertaken prior to the introduction of the GDPR in May 2018. An internal audit was also commissioned by the PFCC shortly after these regulations came into force and undertaken by RSM. The purpose of the internal audit was to provide a “factual analysis of data protection controls framework against GDPR requirements and obligations introduced in May 2018.”
A follow up audit was undertaken in 2020 and the final report published in July 2020. Through this process several areas for improvement were identified and implemented. The recommendations from the internal audit were accepted, actioned and closed by August 2020.
In 2023 a further GDPR Audit was undertaken which was shared with SMT in October. A number of improvements and actions were identified, and these are in the process of being actioned. The decisions sought in this report are linked to and build upon the previous decisions undertaken by the Commissioner for other elements of the 2023 GDPR Audit Recommendations.
2023 – 157 – Access to Information Policy and Records Retention Policy
2023 – 198 – SMT ToR
2024 – 008 – Revised Grant Agreement

4. Proposal and Associated Benefits

This decision report seek approval for the updated records retention schedule which sets out how long information will be held by the Commissioner, where it will be held and who the information asset owner is. This schedule sits alongside the Records Retention Policy which was agreed in decision report 2023-157 but has also been included in this decision report for completeness.
This report also seeks approval of an updated Data Protection Policy that has taken into account the feedback from the internal audit and added significant levels of details, changed the presentation and layout to make it easier to understand and updated a number of references.

Finally, the report seeks approval of three separate but connected privacy notices one for employees, one for volunteers and one for use on our website. These set out for each audience how we will collect, use and dispose of the data we collect, what purpose we will use this data for and how it will be stored.
Collectively and taken together with the previous documents agreed by the Commissioner this suite of documents establishes a robust and tested data protection framework that provides the Commissioner with reassurance that data Iis being handled and managed lawfully and appropriately within their office. The updated documents also provide the further reassurance that these documents have been recently audited and updated following the recommendations provided.

5. Options Analysis

The Commissioner could choose not to accept these revised documents and request that they are further updated, however, this is not recommended as the documents have been updated following an internal audit, having taken on board expert professional advice and having been discussed at the Commissioner’s Senior Management Team meeting.

6. Consultation and Engagement

The documents have been updated following advice and guidance from BLS Stay Compliant a specialist data protection consultancy.

7. Strategic Links

Trust in policing is fundamental to maintaining a safe and secure community. As the PFCC is responsible for the totality of policing in the county if they or their office were to handle data poorly, have weak systems and processes or commit a data breach, it would have a direct impact on the trust that partners and the public had in them and as a result could damage trust and confidence in policing. This would undermine the trust and confidence that flows through the PFCC’s Police and Crime Plan and Fire and Rescue Plan and as such it is a key foundation to their strategic agenda.

8.Police Operational Implications

The Commissioner, through information sharing agreements, does get access to sensitive information and this decision will provide additional reassurance that this data is being handled appropriately.

9. Financial implications

There are no financial implications from this decision.

10. Legal implications

This decision supports the PFCC’s legal obligation under the Data Protection Act and General Data Protection Regulations to handle data appropriately. The specific decision also brings the Commissioner closer to the Information Commissioner’s published best practice.

11. Staffing Implications

These documents will be shared with staff who will be required to comply with them. The privacy notices will also provide clear information to employees of how their data will be handled.

12. Equality and Diversity implications

While this decision does not have a direct impact on the Commissioner Equality Duty it does include reference to special category personal data which often includes details about a person’s protected characteristics. As required in legislation the Commissioner’s Data Protection framework sets out how this Special Category Data will be handled appropriately. This should provide additional reassurance that the
Commissioner is clearly considering and acting upon is general equality duty and the need to ensure systems, processes and policies work for people with protected characteristics.

13. Risks and Mitigations

These documents mitigate the risk that data is handled inappropriately leading to the risk of a data breach.

14.Governance Boards

These documents were discussed at the PFCC’s SMT on the 29 January 2024.

15.Links to future Plans

This is not part of a future plan but rather part of a programme of ongoing development and improvement in how data is managed.

16.Background Papers and Appendices

Annex A – Record Retention Policy
Annex B – Record Retention Schedule
Annex C – Data Protection Policy
Annex D – Employee Privacy Notices
Annex E – Volunteer Privacy Notices
Annex F – Website Privacy Notices